The ancient IRC protocol is back in action, thanks to SSHStalker’s Linux botnet exploiting cloud servers for profit
Publish Date: 2026-02-14 17:20:00
Source Domain: www.techradar.com
- SSHStalker uses IRC channels and multiple bots to control infected Linux hosts
- Automated SSH brute-forcing rapidly spreads the botnet through cloud server infrastructures
- Compilers are downloaded locally to build payloads for reliable cross-distribution execution
SSHStalker, a recently discovered Linux botnet, is apparently relying on the classic IRC (Internet Relay Chat) protocol to manage its operations.
Created in 1988, IRC was once the dominant instant messaging system for technical communities due to its simplicity, low bandwidth needs, and cross-platform compatibility.
Unlike modern command-and-control frameworks, SSHStalker uses multiple bots, redundant channels, and servers to maintain control over infected devices while keeping operational costs low.
Botnet structure and command infrastructure
SSHStalker’s malware achieves initial access through automated SSH scanning and brute-force attacks, and then uses a Go-based binary disguised as the open-source network tool nmap to infiltrate servers.
Researchers from security firm Flare documented nearly 7,000 bot scan results in a single month, mainly targeting cloud infrastructure, including Oracle Cloud environments.
Once a host is compromised, it becomes part of the botnet’s propagation mechanism, scanning other servers in a worm-like pattern.
After infection, SSHStalker downloads the GCC compiler to build payloads directly on the compromised system, which ensures its C-based IRC bots can run reliably across different Linux distributions.
These bots contain hard-coded servers and channels that enroll the host into the IRC-controlled botnet.
Additional payloads named GS and bootbou provide orchestration and execution sequencing, effectively creating a scalable network of infected machines under centralized IRC control.
Persistence on each host is maintained through cron jobs…
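For defenders, the sequence described above (SSH brute-forcing followed by a compiler appearing on the host) can be correlated from ordinary logs. The following is an added example, not code from the article or from Flare. It assumes a Debian-family host where the compiler arrives through the package manager and is recorded in dpkg.log, and sshd lines carrying ISO timestamps; the log lines, host names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the article); IPs are documentation ranges.
AUTH_LOG = "".join(
    f"2026-02-10T03:12:{s:02d} web01 sshd[911]: Failed password for root "
    "from 203.0.113.5 port 40022 ssh2\n" for s in range(1, 7)
) + (
    "2026-02-10T03:12:19 web01 sshd[911]: Accepted password for root "
    "from 203.0.113.5 port 40030 ssh2\n"
    "2026-02-10T09:00:00 web01 sshd[977]: Accepted password for admin "
    "from 198.51.100.7 port 51000 ssh2\n"
)
DPKG_LOG = (
    "2026-02-10 03:16:30 install gcc:amd64 <none> 4:13.2.0-7\n"
    "2026-02-10 09:05:00 install curl:amd64 <none> 8.5.0-2\n"
)

SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+")
DPKG_RE = re.compile(r"^(\S+ \S+) install (gcc[\w.+-]*|build-essential):")

def brute_forced_logins(auth_log, min_failures=5):
    """Accepted logins from an IP that already failed >= min_failures times."""
    failures, hits = defaultdict(int), []
    for m in filter(None, map(SSHD_RE.match, auth_log.splitlines())):
        ts, outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.append((datetime.fromisoformat(ts), user, ip))
    return hits

def compiler_installs(dpkg_log):
    """(time, package) for each compiler package install in dpkg.log."""
    return [(datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2])
            for m in filter(None, map(DPKG_RE.match, dpkg_log.splitlines()))]

def correlate(auth_log, dpkg_log, window=timedelta(minutes=30)):
    """Alert when a compiler install follows a brute-forced login within window."""
    return [{"src_ip": ip, "user": user, "package": pkg,
             "delay_s": int((inst - login).total_seconds())}
            for login, user, ip in brute_forced_logins(auth_log)
            for inst, pkg in compiler_installs(dpkg_log)
            if timedelta(0) <= inst - login <= window]

if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, DPKG_LOG):
        print(alert)
```

On production servers that never build software, a compiler install on its own is already worth an alert; the correlation with a brute-forced login raises its priority.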